An n Emp Empir iric ical Ana naly lysis s of of Anon nonymit - - PowerPoint PPT Presentation

An n Emp Empir iric ical Ana naly lysis s of

• f Anon

nonymit ity in n Zcash

George Kappos, Haaroon Yousaf, Mary Maller, Sarah Meiklejohn University College London

Zcon0: 26/06/2018

What level of anonymity do users obtain by using Zcash?

2 of 23

• In many cases we identify the activity of founders and miners using

private transactions.

• Implication is a significant shrink to the effective anonymity set for

regular users.

• The developers of Zcash have already implemented some of our

suggested fixes.

3 of 23

Our Contributions

Ingredients:

• 1. Some simple heuristics

for linking user activity.

4 of 23

Zcash uses a Shielded Pool

Transparent to Transparent Transparent to Private Private to Private Private to Transparent

5 of 23

Zcash uses a Shielded Pool

Transparent to Transparent

Can often be deanonymised.

Private to Private

6 of 23

Zcash uses a Shielded Pool

Transparent to Transparent

We did NOT deanonymised.

Private to Transparent Private to Private

Hides destination address, sender address, and payment amount.

7 of 23

Zcash uses a Shielded Pool

Transparent to Private Private to Transparent

Hides destination address. Hides sender address.

Blockchain statistics

8 of 23

Blockchain statistics

• About 85% of

transactions are public i.e. transparent or newly generated coins.

9 of 23

Blockchain statistics

• Very few

transactions are private to private

10 of 23

11 of 23

Miners and Founders

• All new coins go to either the

miners or the founders.

• New coins are required to be

sent to the shielded pool before they can be spent.

12 of 23

Miners and Founders

• Tracked coins being put into the

pool.

• Founders addresses are public

so can be identified.

• Miners addresses can be

identified from coin generation transactions.

13 of 23

Blockchain statistics

• Most of the coins

put into the pool are immediately removed again.

14 of 23

Miners and Founders

We could associate 69% of the activity surrounding the shielded pool with miners and founders, leaving 31% left as the anonymity set for regular users.

15 of 23

Identifying Founders

• 75% of founder transactions into the pool were of the value 249.9999

ZEC.

• Found 1,953 withdrawals of exactly 250.0001 ZEC.
• Found correlation in block interval between deposits and withdrawals.

250 ZEC 250 ZEC 250 ZEC 250 ZEC 250 ZEC 250 ZEC

16 of 23

Identifying Miners

• Most mining activity comes from mining pools.
• Some pools engaged with the shielded pool in a

predictable fashion.

• We identified withdrawals as belonging to a miner if it

had over 100 recipients, with one of them belonging to a known mining pool. Transaction from explorer.zcha.in Image of mining pool distribution from explorer.zcha.in

17 of 23

Consequences

What does this mean for other users?

18 of 23

Identifying Users

• Used Jeffrey Quesnelle heuristic which links deposit

and withdrawal transactions if they had exactly the same value and this particular value was unique in the whole blockchain.

• Correlated 28.5% of all coins ever deposited in the

pool.

• Most (87%) of the linked coins were in transactions

already attributed to the founders and miners.

19 of 23

Case Study: The Shadow Brokers

• The Shadow Brokers (TSB) are a hacker collective that sell and distribute tools

supposedly created by the NSA.

• One cluster sent transactions to the shielded pool with amounts and timings that

corresponded to TSB’s sale activity.

• The cluster belonged to a new user.
• Most of their coins from Bitfinex.

Price of monthly dump in ZEC.

20 of 23

Recommendations to Users

• Do not mint and spend coins in the same block. Ideally keep part
• f your wallet shielded to use at a later date.
• Do not deposit and withdraw the exact same amount.
• When taking change from a shielded transaction, store the

change in a shielded address rather than a transparent address.

• Try to ensure that withdrawal addresses cannot be linked to

deposit addresses using standard bitcoin clustering techniques.

21 of 23

Recommendations to Developers

Recommendation Solutions in progress Do not rely on user or miner behaviour for security. Have a less recognisable pattern when withdrawing founders rewards. Try to help more people use the shielded functionality of Zcash. Ultimately, none of our heuristics would work on a fully anonymous system.

22 of 23

Recommendations to Developers

Recommendation Solutions in progress Do not rely on user or miner behaviour for security. Wallet upgrades. Have a less recognisable pattern when withdrawing founders rewards. Developers have already done this. Try to help more people use the shielded functionality of Zcash. One of the aims of the Sapling upgrade. Ultimately, none of our heuristics would work on a fully anonymous system. Weigh up the technical and legal consequences of a fully anonymous system.

23 of 23

Recommendations to Developers

Ultimately, none of our heuristics would work on a fully anonymous system. Weigh up the technical and legal consequences of a fully anonymous system. Shameless plug: follow our work on updatable and universal common reference strings for zk-SNARKs.

Thank-you for listening